160 Series Recovery Agent Compliance: What Lenders Must Know About Outsourcing

Key Facts at a Glance

Item	Detail
Primary regulation	TCCCPR, 2018 (Second Amendment, 12 Feb 2025)
Governing body	TRAI / DoT
Applies to	Banks, NBFCs, fintechs, BPOs acting on behalf of RBI-regulated entities
Mandated number series	1600/1601xxxxxxx for all service and transactional calls
First-violation penalty	Rs 2,00,000 per instance
Blacklist trigger	5 valid complaints in any rolling 10-day period
IIBF certification	Mandatory for every recovery agent (100 hrs non-graduates; 50 hrs graduates)
RBI collection call hours	08:00 to 19:00 IST only
Deadline status	Phase-wise adoption underway; SEBI AMCs by 15 Feb 2026, QSBs by 15 Mar 2026

• A Principal Entity such as a bank or NBFC bears vicarious liability under TCCCPR 2018 for every call its outsourced recovery agent makes, whether or not the entity knew about the violation.
• Recovery agents must make all collections calls from the Principal Entity’s allocated 1600/1601 number. Using a personal mobile or the agency’s own pool is a direct TCCCPR breach.
• Every individual recovery agent must hold a valid IIBF Debt Recovery Agent (DRA) certificate before making any collections call on the lender’s behalf.
• All outbound recovery calls must stay within the 08:00 to 19:00 IST window set by the RBI Fair Practices Code.
• FreJun provisions the 160 series number and routes all agent calls through it, giving lenders a single compliant trunk for every outsourced recovery operation.

Table of Contents

1. Why Outsourcing Creates a Recovery Agent Compliance Risk
2. Vicarious Liability Under TCCCPR: Why the Lender Always Owns the Risk
3. The Number-Pool Rule: Which Number Must Recovery Agents Use?
4. IIBF Certification: The Recovery Agent Compliance Step Most Lenders Skip
5. RBI Fair Practices Code and Calling Hours for Recovery Calls
6. Content Templates, DLT Registration, and Recovery Agent Compliance
7. Contractual Safeguards: What the Outsourcing Agreement Must Say
8. Penalties When Recovery Agent Compliance Breaks Down
9. How FreJun Helps Lenders Maintain Recovery Agent Compliance
10. Frequently Asked Questions
11. Key Takeaways

Recovery agent compliance under India’s 160 series mandate is the most common gap I see in BFSI collections operations. Typically, lenders procure the 1600/1601 number and route it through their in-house dialer. Then they hand accounts to an outsourced BPO. However, they forget that the 160 series obligation follows the account. Every recovery call the agent makes from a personal mobile is a TCCCPR violation. That violation attributes to the lender, not the agent. This article explains why that happens. Specifically, it covers what the law says and what every compliance officer must do to close the gap.

Importantly, recovery agent compliance sits at the intersection of three regulatory instruments. First, the Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR) as amended on 12 February 2025. Second, the RBI Fair Practices Code for Lenders. Third, the RBI Master Direction on Outsourcing of IT Services dated 10 April 2023. Understanding how these three work together is essential. Every compliance officer, collections head, or operations manager who relies on outsourced BPOs needs this knowledge.

FreJun provisions your 1601 number and routes all recovery agent calls through it automatically. No separate number pools, no manual configuration, no TCCCPR exposure at the agent layer. Most BFSI teams go live within 48 hours.

Talk to FreJun’s Legal Team

Why Outsourcing Creates a Recovery Agent Compliance Risk

Outsourced recovery creates a specific recovery agent compliance risk because the agent, not the lender, controls the outbound dial. When a recovery agency calls from its own number pool, it uses a number the DoT never allocated to the Principal Entity. Under the DoT Press Release dated 30 May 2024 (PRID 2022249), the 160xxxxxxx series belongs to the Principal Entity. The allocation is entity-specific. Crucially, it does not transfer to an agent. Furthermore, it does not cover calls the agent makes from a different trunk.

Additionally, a standard 10-digit mobile number used by a recovery agent to call a borrower is now a compliance red flag. The DoT introduced the 160 series to close the fraud window. Genuine entities using 10-digit numbers for service calls created that window. Consequently, a lender whose agent calls from a personal mobile contributes to the very problem the regulation was designed to solve.

Why Recovery Agent Compliance Gaps Are So Widespread

Recovery agent numbers grew by 50 per cent between July and December 2024, rising from 6,000 to 8,800 out of 82,000 total outsourced BFSI staff, according to TeamLease Services data (Business Standard, January 2025). Growth at that pace means lenders onboard BPO partners quickly. Most provision the 160 number for in-house teams first. The BPO extension gets deferred. By the time portfolio stress peaks, the outsourced recovery operation runs on non-compliant numbers.

The Structural Gap in Most Outsourcing Contracts

In practice, most BFSI outsourcing contracts treat the 160 number as an in-house asset. Typically, the contract gives the BPO a list of borrower accounts, a script, and a calling schedule. It does not specify which originating number the BPO must use. That gap is the compliance failure. Recovery agent compliance under the 160 series requires a technical routing obligation. Moreover, it must be written into the contract and enforced at the dialer level, not just stated as a policy.

Vicarious Liability Under TCCCPR: Why the Lender Always Owns the Risk

Vicarious liability under the TCCCPR means the Principal Entity legally owns its agent’s telecom conduct. The TRAI Direction dated 19 November 2025 (PRID 2191647) is explicit on this. The 1600/1601 number belongs to the Principal Entity. Consequently, the entity bears the compliance burden for every call the agent makes using or purporting to use its regulated identity. A penalty or blacklisting action arising from the agent’s non-compliant call targets your entity, not the agency.

Three Sources of Vicarious Liability for Recovery Agent Calls

The TCCCPR imposes the obligation on the registered sender, which is the Principal Entity. Specifically, the sender cannot transfer that obligation to an agent. Additionally, the RBI Fair Practices Code makes the lending institution responsible for its agent’s conduct toward borrowers. This covers telephone harassment and contact outside prescribed hours. Furthermore, the RBI Master Direction on Outsourcing of IT Services, dated 10 April 2023, (rbi.org.in) requires that outsourcing arrangements not weaken the entity’s ability to fulfil its customer obligations.

In practice, a single non-compliant recovery call can trigger three simultaneous responses. TRAI can act under TCCCPR. RBI can act under the Fair Practices Code. The Outsourcing Master Direction also applies. The practical step here is clear. Treat every recovery agent as a compliance extension of your own team for every call they make on your behalf.

The Blacklist Trigger That Can Halt Your Entire Operation

Under the TCCCPR Second Amendment, 2025, the blacklist trigger tightened to 5 valid complaints in any rolling 10-day period. Previously the threshold was 10 complaints in 7 days. Additionally, consumers no longer need DND registration to file a complaint. For a large recovery portfolio, 5 complaints can arrive before your compliance team identifies the issue. Specifically, each complaint from a borrower who received a call from a personal mobile can count. Moreover, the maximum blacklist duration is one year across all telecom resources at all TSPs. For a BFSI entity, therefore, OTP delivery stops, customer service calls stop, and collections stop entirely.

The Number-Pool Rule: Which Number Must Recovery Agents Use?

The number-pool rule for recovery agent compliance is straightforward. Every outbound call the agent makes on the lender’s behalf must originate from the lender’s allocated 1600/1601 number. The agent cannot use a personal mobile or the agency’s own 160 number. Additionally, a virtual number masking the caller ID is also prohibited. Furthermore, standard landlines and PRIs are not permitted either. Section 42 of the Telecommunications Act, 2023 criminalises spoofing or masking the caller identification. The punishment is up to three years of imprisonment, a fine up to Rs 50 lakh, or both.

The Segregation Obligation at the Technical Layer

Recovery agent compliance requires a technical control, not just a written policy. TRAI and regulators consistently hold that the routing boundary must exist at the system level. The dialer must route all recovery calls from the Principal Entity’s 1600/1601 trunk. The same dialer instance cannot mix promotional 140 traffic with 1600/1601 transactional traffic. Marketing campaigns and collections calls must run through separate outbound trunks.

For lenders using an outsourced BPO, the BPO must connect to the lender’s SIP trunk. Specifically, that trunk carries the 160 number. Notably, the BPO’s physical office location does not change the compliance outcome. What matters is the originating number on the call. Without a technical trunk integration, the agent still calls from the BPO’s own number. That is a TCCCPR violation.

Sub-Allocation Is Not Permitted Under Any Circumstance

A lender cannot sub-allocate its 1600/1601 number to a recovery agency. The number is a State telecom resource allocated to the Principal Entity. Transfer to a subsidiary, group company, or outsourcing partner requires separate TSP eligibility verification. Similarly, sub-allocation and licensing require the same separate verification. Technical routing integration through the lender’s own trunk is the only lawful mechanism. Specifically, it is the only way to extend 160 series coverage to outsourced agents. A dedicated 160 number for the BPO is only lawful in one situation. The BPO must independently qualify as a Principal Entity under a sectoral regulator.

IIBF Certification: The Recovery Agent Compliance Step Most Lenders Skip

Before a recovery agent makes a single call, they must hold a valid DRA certificate. The Indian Institute of Banking and Finance (IIBF) issues this certificate. Importantly, this is an RBI mandate, not a voluntary practice. RBI directed the Indian Banks’ Association to develop this certification with IIBF. Banks and NBFCs must ensure all recovery agents complete the required training. They must obtain DRA certification from IIBF before performing recovery functions (IIBF FAQ, iibf.org.in). Therefore, no agent may perform recovery work without it.

Training Hours Required by Education Level

Training duration depends on the agent’s education. Graduates and above must complete 50 hours at an IIBF-accredited institute. Non-graduates with at least SSC (Class 10) must complete 100 hours. BPO and call centre employees with a graduate degree also qualify for the 50-hour track. After training, the candidate must pass the IIBF DRA Certificate Examination within 9 months, with up to 3 attempts available. The examination consists of 90 MCQs worth 100 marks. Candidates need at least 50 per cent to pass.

DRA certification requires renewal every 5 years through a refresher course and recertification exam. Furthermore, the obligation extends to service providers engaged by banks and NBFCs. If a BPO runs your recovery operations, that BPO must ensure all its agents hold valid IIBF DRA certificates. However, your compliance team should verify certification status independently before any outsourcing engagement begins and at each annual vendor review. Consequently, vicarious liability means you cannot rely solely on the BPO’s warranty.

The Board-Approved Code of Conduct Requirement

In addition to individual agent certification, the Principal Entity must maintain a board-approved Code of Conduct for recovery agents. This Code must cover conduct standards and prohibited practices. Abusive language and calls to relatives are prohibited. The Code must also address escalation procedures and grievance redressal. The RBI Responsible Business Conduct Directions require board-level approval, not simply management sign-off. Absence of this Code is an independent regulatory violation, separate from any specific calling breach.

RBI Fair Practices Code and Calling Hours for Recovery Calls

All outbound recovery calls must happen between 08:00 and 19:00 IST only. The RBI Fair Practices Code for Lenders sets this rule. However, customer-initiated contact outside that window is permitted. If a borrower calls at 20:00, the agent may respond. Outbound recovery calls outside 08:00 to 19:00 are never permitted, regardless of the borrower’s preference. Notably, this applies to every voice call, including calls from a compliant 160 number.

How the 30-Minute Transactional Window Interacts With Recovery Calls

The TCCCPR Second Amendment, 2025 introduces a separate timing rule for transactional calls. A transactional call must go out within 30 minutes of the customer-initiated event that triggered it. OTP delivery and immediate payment confirmation are examples of transactional calls. This rule does not govern typical collections calls. Collections calls are service calls under the TCCCPR framework, not transactional calls. However, a collections platform that blends OTP delivery with EMI reminders must apply separate call-type logic to each. Routing both through one dialer without differentiated timing controls creates a specific compliance gap.

Consent and the 90-Day Opt-Out Lockout for Collections

Under the Second Amendment, 2025, implicit consent for service calls holds for the duration of the underlying contract. For example, for a loan, the entity may call the borrower throughout the loan tenure. Once a borrower opts out, the entity cannot contact them for the same purpose for 90 days. Specifically, that lockout starts from the opt-out date. This 90-day lockout applies even to overdue accounts. Recovery teams must build opt-out status checks into the dialer pre-call screening workflow. Therefore, every outbound attempt must check opt-out status first, or risk a TCCCPR violation on every call to an opted-out borrower.

Content Templates, DLT Registration, and Recovery Agent Compliance

Every voice script a recovery agent uses must register as a content template on the DLT platform. Specifically, prior registration is mandatory before any call. This covers the IVR opener, agent introduction, and payment reminder message. Each template carries a unique Template ID that must pass in the call signalling. Calling with an unregistered or blacklisted template is a TCCCPR violation. Notably, this applies even when the originating number is a valid 1600/1601 allocation.

What Templates a Collections Workflow Needs

A typical BFSI collections workflow requires separately registered DLT templates for each communication step. These include the IVR greeting, agent self-introduction, and payment reminder message. Post-call SMS summaries and follow-up IVR messages also need separate templates. Furthermore, each language variant, including English, Hindi, and regional languages, needs its own registered template. In my practice advising telecom-sector clients, the DLT template registration step takes 2 to 3 weeks for first-time registrants. The access provider must review and approve each template before use. Plan for this lead time in your migration schedule.

Digital Consent Acquisition and TCCCPR Alignment

The Digital Consent Acquisition (DCA) framework on the DLT platform requires consent records that meet specific technical standards. A verbal agreement from the borrower at loan disbursement does not satisfy this requirement. The consent record must register on the DLT platform in the DCA-compliant format. Therefore, your legal team must map every consent collection touchpoint in the loan origination workflow to a corresponding DCA-compliant record. Consequently, undocumented verbal consent does not satisfy the Second Amendment, 2025 requirements.

Contractual Safeguards: What the Outsourcing Agreement Must Say

The outsourcing agreement must expressly incorporate recovery agent compliance obligations specific to the 160 series. However, a generic data protection clause or broad compliance warranty is not sufficient. The agreement must address at least six specific obligations to satisfy both the TCCCPR and the RBI Outsourcing Direction requirements.

Six Mandatory Clauses for Every Recovery Agency Contract

• Originating number obligation. The agency must make all calls on the lender’s behalf exclusively from the lender’s allocated 1600/1601 number, routed through the lender’s telephony infrastructure. Using any other number is a material breach.
• IIBF certification warranty. The agency warrants that every agent deployed on the lender’s accounts holds a valid, unexpired IIBF DRA certificate. A certified list of agents and IIBF registration numbers must arrive before deployment. Updates must follow within 3 business days of any personnel change.
• Calling hours restriction. All outbound calls must occur between 08:00 and 19:00 IST only. The agency must implement a technical dialer control to enforce this window, not just a policy instruction to agents.
• DLT template compliance. The agency must use only templates the lender registered on the DLT platform. Deviation from registered script content is a TCCCPR violation the lender owns.
• Audit rights and CDR retention. The lender must have the right to audit the agency’s call records, CDRs, IIBF certificates, and complaint logs at any time on reasonable notice. The agency must retain CDRs for the period the lender’s TSP licence and sectoral regulator require.
• Indemnity for TCCCPR violations. The agency must indemnify the lender against any TCCCPR penalty, blacklisting action, or regulatory sanction arising from the agency’s compliance failures. Note: this indemnity creates a right of financial recourse after a violation. It does not prevent TRAI or RBI from acting against the Principal Entity first. An indemnity clause is not a substitute for actual recovery agent compliance.

That last point deserves emphasis. In my practice advising telecom-industry clients, I have seen lenders treat the indemnity clause as their primary compliance mechanism. TRAI acts against the Principal Entity regardless of the indemnity. The indemnity is a financial remedy after the fact, not a pre-emptive compliance measure. Recovery agent compliance requires technical controls, not just contractual protections.

Penalties When Recovery Agent Compliance Breaks Down

A single non-compliant recovery call made from a non-160 number can trigger action under four separate legal instruments simultaneously. Each layer applies independently of the others.

TCCCPR Financial Penalties and Blacklisting

Under the TCCCPR Second Amendment, 2025, the penalties are graded. The first violation costs Rs 2,00,000. The second costs Rs 5,00,000. Each subsequent violation costs Rs 10,00,000. Specifically, these apply per instance. Therefore, each non-compliant call in a campaign can attract a separate penalty. If the 5-complaint blacklist threshold crosses in a 10-day window, TRAI acts immediately. On the first violation, TRAI bars outgoing services on all telecom resources for 15 days. Repeat violations can result in a one-year disconnection across all TSPs (TRAI Direction, PRID 2191647, 19 November 2025).

Classification as Unregistered Telemarketer

If the recovery agency calls from a 10-digit mobile, TRAI classifies those calls as Unsolicited Commercial Communication. Specifically, TRAI treats them as calls from an Unregistered Telemarketer (UTM). The UTM enforcement path is a warning on the first violation. The second violation brings a 20-calls-per-day cap for six months. The third and each subsequent violation results in disconnection of all telecom resources. Importantly, TRAI applies the UTM classification to the lender, not just the agent. The entity on whose behalf the calls occur owns the classification.

RBI Supervisory Action and Criminal Exposure

Non-compliance with the 160 series mandate can attract RBI supervisory action. Combined with Fair Practices Code violations, Specifically, RBI may act under Section 35A of the Banking Regulation Act, 1949 or Section 45L of the RBI Act, 1934. Monetary penalties under Sections 46 and 47A of the Banking Regulation Act, 1949 are also available to RBI. Notably, RBI applies these independently of any TRAI penalty for the same conduct. Additionally, if a recovery agent uses a spoofed caller ID, Section 42 of the Telecommunications Act, 2023 applies. The punishment is up to three years of imprisonment, a fine up to Rs 50 lakh, or both.

How FreJun Helps Lenders Maintain Recovery Agent Compliance

FreJun’s platform handles the technical recovery agent compliance layer: number provisioning, routing segregation, DLT template management, CDR logging, and CRM integration. FreJun provisions your 1601 number and integrates with your dialer, whether in-house or BPO-hosted. It routes all agent calls through your allocated 160 series trunk. Consequently, this eliminates the number-pool segregation risk at the technical layer, not just through a policy instruction to agents.

FreJun integrates with HubSpot, Zoho, Salesforce, and Leadsquared. Your compliance team can monitor call metadata and verify every recovery call used the correct originating number. Additionally, FreJun generates the CDR audit trail that TRAI, RBI, and your internal audit team may require. For lenders managing large outsourced recovery portfolios across multiple BPOs, FreJun provides a single compliant trunk. All BPO partners connect to it. Consequently, no BPO maintains a separate, potentially non-compliant telephony setup.

For a broader view of the 160 series mandate in the complete BFSI compliance framework, read our BFSI Communication Compliance Guide 2026. For a comparison of the 160 series and 140 series in a BFSI outreach strategy, see our article on the 160 series vs 140 series.

See how FreJun routes all recovery agent calls through your 160 series number, logs every CDR against the correct Template ID, and gives your compliance team a real-time audit trail. Most lenders configure the full setup within two business days.

Talk to FreJun’s Legal Team

Frequently Asked Questions

160 series vs 140 series: which one must recovery agents use for collections calls?

Recovery calls are service calls, not promotional calls. Agents must use the 160 series, specifically 1601 for RBI-regulated entities. The 140 series serves only promotional and telemarketing calls under the DoT Press Release dated 30 May 2024 (PRID 2022249). Using a 140 number for a recovery call is a direct TCCCPR violation that the Principal Entity owns.

What is the penalty if a recovery agent uses a personal mobile number for collections calls?

Under the TCCCPR Second Amendment, 2025, the first violation costs Rs 2,00,000. The second costs Rs 5,00,000. Each subsequent violation costs Rs 10,00,000. If 5 complaints arrive in 10 days, TRAI can bar all outgoing telecom services for 15 days. Repeat violations result in a one-year blacklist across all TSPs, halting OTPs, service calls, and collections entirely.

How does a lender get a 1601 number allocated for recovery operations?

The lender applies to its Telecom Service Provider for a 1600/1601 number. The TSP verifies eligibility as an RBI-regulated entity. It also requires an undertaking that the number will serve only service and transactional calls under TCCCPR 2018. The SARAL SANCHAR portal at saralsanchar.gov.in can verify TSP licence status. FreJun manages this end-to-end for its BFSI clients, including DLT template registration and dialer integration.

Can the recovery agency hold its own 1601 number for calls on the lender’s behalf?

Only if the recovery agency itself qualifies as a BFSI Principal Entity regulated by RBI, SEBI, PFRDA, or IRDAI. A BPO or third-party collections agency without independent sectoral regulation cannot hold a 1601 number for the lender’s calls. Those calls must route through the lender’s own allocated number via a technical trunk integration.

Is IIBF DRA certification mandatory for BPO employees who make recovery calls?

Yes. IIBF DRA certification is mandatory for every individual who performs recovery functions, including BPO and call centre employees. BPO employees with a graduate degree must complete 50 hours of accredited training and pass the IIBF DRA examination. Banks and NBFCs must confirm all recovery agents, in-house or outsourced, hold valid IIBF certificates before deployment.

What calling hours apply to outsourced recovery agents under RBI rules?

Outbound recovery calls must occur between 08:00 and 19:00 IST only, as the RBI Fair Practices Code for Lenders mandates. Customer-initiated contact outside those hours is permitted. The lender must implement a technical dialer control to enforce this window. A policy instruction to agents alone does not satisfy the obligation.

Does the 90-day opt-out lockout apply to recovery agent compliance for overdue loans?

Yes. Under the TCCCPR Second Amendment, 2025, once a borrower opts out, the entity cannot contact them for 90 days. That lockout covers the same purpose and starts from the opt-out date. This applies even to overdue loan recovery. The dialer pre-call screening workflow must check opt-out status before every outbound recovery attempt, including calls on delinquent accounts.

Key Takeaways

• Recovery agent compliance under the 160 series places full vicarious liability on the Principal Entity for every non-compliant call its outsourced agent makes. The liability follows the entity, not the agent.
• All recovery calls must originate from the lender’s allocated 1600/1601 number. The routing must exist at the technical level. BPO dialers must connect through the lender’s compliant SIP trunk.
• Every individual recovery agent, including those at outsourced BPOs, must hold a valid IIBF Debt Recovery Agent certificate before making any collections call on behalf of a bank or NBFC.
• The Principal Entity must maintain a board-approved Code of Conduct for recovery agents covering prohibited practices, escalation procedures, and grievance redressal mechanisms.
• The outsourcing agreement must specifically address the 1600/1601 number obligation, IIBF certification warranty, calling hours, DLT template compliance, audit rights, and CDR retention. A generic compliance clause does not satisfy this requirement.
• The TCCCPR Second Amendment, 2025 blacklist trigger is 5 complaints in 10 days. For a large recovery portfolio with many agents, that threshold crosses quickly when agent conduct is not monitored in real time.
• FreJun provisions the 160 number, routes all agent calls through it, logs CDRs against the correct DLT Template ID, and integrates with major CRMs, providing the technical recovery agent compliance layer most lenders currently lack.

Compliance Disclaimer

Disclaimer: This article is published for informational purposes only and represents FreJun’s understanding of the relevant legal and regulatory position based on its own independent research and interpretation of publicly available materials. It should not be construed as legal advice, legal opinion, or regulatory guidance. Readers are encouraged to seek independent legal counsel or consult the appropriate regulatory authorities before taking any action based on the information contained herein. While reasonable efforts have been made to ensure the accuracy and completeness of the information presented, laws, regulations, interpretations, and enforcement positions may evolve or vary based on specific facts and circumstances. FreJun does not warrant that the contents are free from inaccuracies, omissions, or inadvertent errors and shall not be responsible or liable for any misinformation, inaccuracies, or reliance placed upon the contents of this article, whether published knowingly or unknowingly.

References and Sources

• DoT Press Release, 30 May 2024 (PRID 2022249) – pib.gov.in
• TRAI Direction, 19 November 2025 (PRID 2191647) – pib.gov.in
• TRAI Direction, 16 December 2025 (PRID 2205350) – pib.gov.in
• TCCCPR Second Amendment, 12 February 2025 – trai.gov.in (PDF)
• RBI Master Direction on Outsourcing of IT Services, 10 April 2023 – rbi.org.in
• IIBF DRA Certification FAQ – iibf.org.in
• Business Standard: Recovery Agent Demand in BFSI, January 2025 – business-standard.com
• SARAL SANCHAR Portal (TSP Licence Verification) – saralsanchar.gov.in